βA Few Hoursβ and the Slow Erosion of Auditable Commitments | UNMITIGATED RISK
A recent incident in the Mozilla CA Program put this on public display and three root programs pushed back. The pattern isn't unique to PKI. It's just uniquely visible there.
unmitigatedrisk.com?p=1123
12.02.2026 19:52 β π 0 π 0 π¬ 0 π 0
"Within 24 hours" becomes "promptly." Profiles become "per industry standards." Each edit is defensible. Taken together, they produce documents that can't be meaningfully audited.
β¬οΈ
12.02.2026 19:52 β π 0 π 0 π¬ 1 π 0
There's a pattern that plays out across every regulated industry. Requirements increase. Complexity compounds. And instead of building capacity to meet the rising bar, organizations quietly lower the specificity of their commitments.
β¬οΈ
12.02.2026 19:52 β π 1 π 0 π¬ 1 π 0
6-day and IP Address Certificates are Generally Available
Short-lived and IP address certificates are now generally available from Letβs Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscr...
This is what zero-trust looks like at the infrastructure layer. Identity and encryption match the lifetime of the thing being secured.
If your certificate strategy still assumes stable names and year-long validity, it is already behind reality.
letsencrypt.org/2026/01/15/6...
16.01.2026 16:26 β π 3 π 1 π¬ 0 π 0
Short-lived and IP certificates make it possible to use TLS before a DNS name exists, reduce friction for DNS over HTTPS adoption, secure ephemeral devices and services by default, and shift trust from long-lived credentials to automated renewal.
π
16.01.2026 16:26 β π 2 π 0 π¬ 1 π 0
Short-lived and IP address certificates are now generally available from Letβs Encrypt.
Modern infrastructure no longer has stable hostnames, static IPs, or long-lived trust anchors. Workloads spin up before DNS exists, live briefly, and disappear. Trust has to keep up.
π
16.01.2026 16:26 β π 1 π 0 π¬ 1 π 0
TL;DR we've constructed an entire compliance industry around optimizing metrics that have become disconnected from the underlying reality they were supposed to measure.
24.12.2025 21:31 β π 2 π 0 π¬ 0 π 0
In complex systems, oversight that depends on snapshots will fail predictably. Data without continuous interpretation does not produce safety.
24.12.2025 21:31 β π 3 π 0 π¬ 1 π 0
Regulators oversee continuously changing systems using periodic exams. That mismatch is structural.
SVB wasnβt a surprise. Regulators had leading indicators and documented findings. Risk accumulated while interpretation and enforcement lagged.
24.12.2025 21:31 β π 3 π 0 π¬ 1 π 0
The whole premise of a compliance team governing complex systems they barely understand is broken. Compliance in a complex system has to be a continuous team sport, a natural byproduct of the way teams work. Not an annual bolt-on.
24.12.2025 21:08 β π 9 π 2 π¬ 2 π 0
The same will be true everywhere. Scale and velocity outpace our ability to reason. The audit still passes. The gap just grows faster.
24.12.2025 20:57 β π 5 π 0 π¬ 1 π 0
Now consider that AI is writing 30% of the code at Google and Microsoft. The humans who understood what the system does, and whether it matches what the policy claims, understand less every quarter.
24.12.2025 20:57 β π 6 π 0 π¬ 1 π 0
Enron passed their audits. Wirecard passed their audits. Every distrusted CA passed their audits. Auditors are paid to confirm compliance, not to find problems. When the measure becomes the target - and the measurer is incentivized to pass you - it stops measuring anything.
24.12.2025 20:44 β π 7 π 0 π¬ 1 π 0
PLCs on the internet -> MCP servers on the internet.
Evolution happened. Learning didnβt.
Weβre rebuilding ICS - this time with agency!
23.12.2025 01:52 β π 2 π 0 π¬ 0 π 0
The Impossible Equation | UNMITIGATED RISK
I wrote up some thoughts on how we got here: unmitigatedrisk.com?p=1116
05.12.2025 04:38 β π 0 π 0 π¬ 0 π 0
The GRANITE Act, which tries to rein in extraterritorial overreach in tech regulation, got me thinking.π
05.12.2025 04:38 β π 0 π 0 π¬ 1 π 0
Attestation, What It Really Proves and Why Everyone Is About to Care | UNMITIGATED RISK
Attestation, What It Really Proves and Why Everyone Is About to Care unmitigatedrisk.com?p=1114
03.12.2025 03:44 β π 4 π 2 π¬ 0 π 0
I also use this as a kind of low pass filter. Itβs reasonable to expect a security leader to understand the concepts behind the systems they protect. You donβt need to be an expert to grasp the abstract properties; itβs an opportunity to practice humility and curiosity as well.
07.11.2025 18:24 β π 11 π 0 π¬ 1 π 0
I hired a director recently and this was my screening question: can you please explain the difference between public-key and symmetric-key cryptography.
Virtually all the candidates, who universally claimed security engineering expertise of some kind (some cryptography-related) could not. At all.
07.11.2025 16:57 β π 83 π 8 π¬ 15 π 8
AI can lift human dignity by opening doors to more people and adapting to how we think, letting us focus on what matters. But only if we design it right and keep monitoring its work. π
25.10.2025 23:10 β π 0 π 0 π¬ 1 π 0
No a few years ago they switched to their own root store. They do pull in certificates that the user adds but not the platform root store.
04.09.2025 10:35 β π 0 π 0 π¬ 0 π 0
Another Sleeping Giant: Microsoftβs Root Program and the 1.1.1.1 Certificate Slip | UNMITIGATED RISK
The bigger issue? Microsoftβs root program still trusts this CA, leaving Edge and Windows users exposed in ways Chrome, Firefox, and Safari users arenβt.
The pattern is familiar: long-lived trust, weak oversight, systemic risk. Itβs time for Microsoft to step up and fund proper root governance.
π
03.09.2025 22:23 β π 3 π 1 π¬ 2 π 0
This morning, a serious WebPKI incident surfaced: a tiny CA misissued certificates for 1.1.1.1 - Cloudflareβs DNS service.
With BGP hijacks happening regularly, those certs could enable full man-in-the-middle attacks.
π
03.09.2025 22:23 β π 3 π 0 π¬ 1 π 0
Secure Code Trainer - Best-selling author of Alice and Bob Learn Secure Coding & Alice and Bob Learn Application Security. #AppSec she/her
https://shehackspurple.ca π»
Christian, husband, dad. Vice President of the United States.
jdvance.com
southern drawl. applied crypto. disinfo research. tradecraft historian. street baller. bats left. electric + bass player. trail runner. 4x dad. 2 dogs. erdΕs-bacon #6. cryptography @ duke. security @ panw. justintroutman.com
Threat researcher, human rights supporter, obsessive reader, marathon runner, eternal traveler, serial migrant, music blogger, lapsed mathematician.
https://lapsedordinary.net/
Signal: martijngrooten.37
Cybersecurity Reporter, Ars Technica: https://arstechnica.com/author/dan-goodin/ Hungry for tips. Text me on Signal: DanArs.82. "The world isnβt run by weapons anymore, or energy, or money. Itβs run by little 1s and 0s, little bits of data."
π€ Internet policy nerd
π @InternetSociety.bsky.social "Senior Expert"
π Always learning
βΎ ποΈ NY sports & DC life
Professor, Stanford Law School.
Senior Fellow, Hoover Institution.
Author, The Digital 4th Amendment:
https://www.amazon.com/Digital-Fourth-Amendment-Privacy-Policing/dp/0190627077/ref=tmm_hrd_swatch_0
Redefining Hardware Acceleration for High-Speed Cryptography, from Software to Silicon π§
Start here: dev.ingonyama.com
Sr Director of Product @cloudflare. Ex-@GitHub, @Microsoft. Tech, politics, trivia, and sci-fi nerd. When I'm not here, I'm sailing or cycling.
https://www.jhutchings.net
Interested in Cryptography and Politics | UofM 25' | DM for Media Requests
@jbis9051 on Twitter
blog.joshbrown.info
Security person. Formerly @ Federal Reserve, FB, Coinbase.
See Starting Up Security @ http://scrty.io
music, arlington, software development, red sox
President of Signal, Chief Advisor to AI Now Institute
Bootstrapped founder of SSLMate (https://sslmate.com). Making SSL certificates easier and doing #WebPKI and #CertificateTransparency research on the side. Blog: https://www.agwa.name He/him
Cryptography at @ SandboxAQ and ex-@ Google. PhD in Computer Networks Security. 10xMarathon.
Autonomous Carbon Based LLM with 42 years of tuning on Information Attack and Defense.
Host of CanSecWest, and PacSec.
Security audits, code, IR, LLM, red team consulting.
Specialize in Firmware, and RF.
VA7MOV
CEO & Co-founder at Corridor.
Previously: Senior Technical Advisor at CISA, TechCongress in the Senate, Krebs Stamos Group, CISA, Defense Digital Service, and Stanford.
Currently: Hacker / Farmer / Builder / Breaker
Prev: Code4rena, Okta, Auth0, GitHub, npm, ^lift, &yet, Symantec.
Pioneered BlindXSS & DVCS Pillaging
npm audit is my fault. More info: https://evilpacket.net
